OpenSSH is almost completely compatible with the commercial SSH 1.2.x.
There are, however, a few exceptions that you will need to bear in

1. OpenSSH does not support any patented transport algorithms.

Only 3DES and Blowfish can be selected. This difference may manifest
itself in the ssh command refusing to read its config files.

Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"
option ("3des" or "blowfish").

2. Old versions of commercial SSH encrypt host keys with IDEA

The old versions of SSH used a patented algorithm to encrypt their

This problem will manifest as sshd not being able to read its host

Solution: You will need to run the *commercial* version of ssh-keygen
on the host's private key:

	ssh-keygen -u /etc/ssh/ssh_host_key

3. Incompatible changes to sshd_config format.

OpenSSH extends the sshd_config file format in a number of ways. There
is currently one change which is incompatible with the old.

Commercial SSH controlled logging using the "QuietMode" and
"FascistLogging" directives. OpenSSH introduces a more general set of
logging options "SyslogFacility" and "LogLevel". See the sshd manual

4. Warning messages about key lengths

Commercial SSH's ssh-keygen program contained a bug which caused it to
occasionally generate RSA keys which had their Most Significant Bit
(MSB) unset. Such keys were advertised as being full-length, but are
actually only half as secure.

OpenSSH will print warning messages when it encounters such keys. To
rid yourself of these messages, edit your known_hosts files and replace
the incorrect key length (usually "1024") with the correct key length

5. Spurious PAM authentication messages in logfiles

OpenSSH will generate spurious authentication failures at every login,
similar to "authentication failure; (uid=0) -> root for sshd service".
These are generated because OpenSSH first tries to determine whether a
user needs authentication to log in (e.g. empty password). Unfortunately
PAM likes to log all authentication events, this one included.

If it annoys you too much, set "PermitEmptyPasswords no" in
sshd_config. This will quiet the error message at the expense of
disabling logins to accounts with no password set. This is the
default if you use the supplied sshd_config file.

6. Empty passwords not allowed with PAM authentication

To enable empty passwords with a version of OpenSSH built with PAM you
must add the flag "nullok" to the end of the password checking module
in the /etc/pam.d/sshd file. For example:

	auth required /lib/security/pam_unix.so shadow nodelay nullok

This must be done in addition to setting "PermitEmptyPasswords yes"
in the sshd_config file.

There is one caveat when using empty passwords with PAM
authentication: PAM will allow _any_ password when authenticating
an account with an empty password. This breaks the check that sshd
uses to determine whether an account has no password set and grants
users access to the account regardless of the policy specified by
"PermitEmptyPasswords". For this reason, it is recommended that you do
not add the "nullok" directive to your PAM configuration file unless
you specifically wish to allow empty passwords.
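
The interaction described in items 5 and 6, as an added example that is
not part of the original OpenSSH document: a small Python audit that
reads the contents of the PAM service file, sshd_config and the shadow
file and reports when "nullok" defeats a "PermitEmptyPasswords no"
policy. The function names, verdict strings and sample file contents are
constructed for illustration, and it assumes sshd uses the first
PermitEmptyPasswords line it finds.

```python
# Added example, not OpenSSH code. Sample file contents are constructed.
PAM_SAMPLE = """#%PAM-1.0
auth required /lib/security/pam_unix.so shadow nodelay nullok
account required /lib/security/pam_unix.so
"""
SSHD_SAMPLE = "PermitEmptyPasswords no\n"
SHADOW_SAMPLE = ("root:$1$constructed$hash:10000:0:99999:7:::\n"
                 "guest::10000:0:99999:7:::\n")

def _fields(line):
    """Split a config line into fields, dropping '#' comments."""
    return line.split("#", 1)[0].split()

def nullok_auth_lines(pam_text):
    """Return the 'auth' lines of a PAM service file that pass 'nullok'."""
    rows = (_fields(l) for l in pam_text.splitlines())
    # Fields are: type, control, module path, then module arguments.
    return [" ".join(f) for f in rows if f[:1] == ["auth"] and "nullok" in f[3:]]

def permit_empty_passwords(sshd_config_text):
    """Return 'yes'/'no' from the first PermitEmptyPasswords line, else None."""
    for f in map(_fields, sshd_config_text.splitlines()):
        if len(f) >= 2 and f[0].lower() == "permitemptypasswords":
            return f[1].lower()
    return None  # unset: the built-in default of the installed sshd applies

def empty_password_accounts(shadow_text):
    """Return account names whose shadow password field is empty."""
    rows = (l.split(":") for l in shadow_text.splitlines())
    return [f[0] for f in rows if len(f) > 1 and f[1] == ""]

def audit(pam_text, sshd_config_text, shadow_text):
    nullok = nullok_auth_lines(pam_text)
    permit = permit_empty_passwords(sshd_config_text)
    if nullok and permit == "no":
        verdict = "policy-bypass"            # PAM accepts any password
    elif nullok:
        verdict = "empty-passwords-enabled"  # PAM side allows them
    elif permit == "yes":
        verdict = "empty-logins-blocked-by-pam"  # item 6: nullok missing
    else:
        verdict = "ok"
    # Empty-password accounts are only reachable when nullok is present.
    exposed = empty_password_accounts(shadow_text) if nullok else []
    return {"verdict": verdict, "nullok_lines": nullok, "exposed_accounts": exposed}

if __name__ == "__main__":
    print(audit(PAM_SAMPLE, SSHD_SAMPLE, SHADOW_SAMPLE))
```

Reading the real shadow file requires root; pass the text of the three
files to audit() in place of the samples.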

7. Rhosts authentication does not work

Make sure that ssh is installed with the setuid bit set. Note that the
Makefile does not do this by default.

8. X11 and/or agent forwarding does not work

Check your ssh_config and sshd_config. The default configuration files
disable authentication agent and X11 forwarding.

9. ssh takes a long time to connect with Linux/glibc 2.1

The glibc shipped with Redhat 6.1 appears to take a long time to resolve
"IPv6 or IPv4" addresses from domain names. This can be kludged around
with the --with-ipv4-default configure option. This instructs OpenSSH to
use IPv4-only address resolution. (IPv6 lookups may still be made by
specifying the -6 option).